Computerworld

Why Cisco’s new intent-based networking could be a big deal

Intent-driven networking uses machine learning to automatically enforce security policies and maintain network state

Scentsy, a $500 million manufacturer and seller of wickless candles, got an early look at what Cisco and some analysts are saying could be the next big thing in the network industry: Intent-based networking.

“I think this could be a pretty big shift in terms of the paradigm of network management,” says Kevin Tompkins, network architect at the company. “We’re getting away from managing individual devices and into having a central, globally managed policy, all controlled from one place that pervades through the network.”

This week Cisco released a series of new hardware and software capabilities that it says use machine learning technology to provide advanced network automation. The system allows users to express policies and have a software platform that executes and maintains the desired state of the network.


What is intent-based networking?

The first thing to know about Intent-based networking is that it is very early days. “Intent-based networking is nascent, but could be the next big thing in networking, as it promises to improve network availability and agility, which are key as organizations transition to digital business,” Gartner analyst Andrew Lerner wrote in a recent report.

Intent-based networking systems (IBNS) have four components, Lerner says:

1. An end user can express desired policies and state of the network, either through commands, a graphic interface or through application programming interfaces (APIs). The IBNS can verify whether the intent of the network can be met. Lerner likened this to entering the destination address into a GPS.

2. The IBNS has automated abilities to configure the network based on the policies and desired state. For example, a user could specify that a certain level of security be applied to specific applications, and the IBNS could assign specific security policies based on user role, device or time. The IBNS has the ability to configure the necessary firewalls, vLANs and other technologies within the network to satisfy the request.

3. An IBNS collects a repository of network data, including traffic logs and streaming telemetry, so that the system can constantly assess the state of the network and determine the best way to implement the desired state.

4. The IBNS has the ability to dynamically optimize and remediate the state of the network to ensure policies are enforced. For example, if a certain segment of the network is down, the IBNS would have the ability to automatically re-route traffic to ensure the policy is enforced appropriately. In the GPS analogy, this would be like the system rerouting a driver around a closed road or traffic jam.

A key component of an IBNS is that it provides mathematical validation that the expressed intent of the network can be and is implemented within the network, and that it has the ability to take real-time action if the desired state of the network is misaligned with the actual state.

An IBNS is, in theory, a software platform that can be agnostic to the hardware that it runs on.

The idea of IBNS has been around for a couple of years, Lerner says, but there have been very few platforms that can enable it. A handful of startups, such as Apstra, Veriflow and Forward Networks, have some early components of IBNS in various product offerings. Lerner estimates there are fewer than 15 intent-based networking platforms in production deployments today, but the number could grow to more than 1,000 by 2020.

What Cisco announced

Now Cisco has jumped into the IBNS market with a series of new software and hardware components that customers can purchase either as an integrated package or separately, with the software available a la carte via subscription. Many of these components are built on Cisco’s Digital Network Architecture (DNA) and will be available in Cisco ONE Software. They include:


Cisco's Digital Network Architecture is a central hub for managing policies

- DNA Center: A new software dashboard where users manage policy creation and provisioning, and get validation that policies are in place (set to be available in August 2017).

- SD-Access: New software that manages automated policy enforcement and network segmentation (set to be available in November 2017).

- Network Data Platform: A new repository that categorizes and correlates network data (set to be available in November 2017).

- Encrypted Traffic Analysis (ETA): Software that analyzes metadata of encrypted traffic to detect vulnerabilities (set to be available in September 2017).


Cisco's new line of Catalyst 9000 switches

- New series of Catalyst 9000 hardware switches, including the Catalyst 9300 and 9500 (available for ordering now) and the 9400 (set to be orderable in July 2017). These switches are meant to be deployed throughout the campus.

Prashanth Shenoy, VP of enterprise network marketing at Cisco, says many of today’s networks were designed for what he calls the Internet-era to run voice, video and data. Businesses now need the network to run mobile, cloud and IoT applications with advanced security. A new network platform is needed to manage the scale of devices connecting to the network, the threats posed to it and the explosion of data generated.

“What we’ve announced has fundamentally redesigned how we help our customers design, manage and scale their networks,” says Shenoy. “We’re calling that a network that is intuitive, one that can constantly learn from itself and from the data it sees, constantly adapt to the changing business demands and then constantly protect against advanced threats.”

But Lerner, the Gartner analyst, says that all together, the software and hardware components Cisco announced do not amount to a full-fledged IBNS. “It’s a platform that should enable intent driven network management in the future,” he says. “Except for some discrete, tight use cases around configuration, it’s not quite completely glued all together yet.”

The system at this point, he says, lacks the ability to take a policy defined at a high level and have the system configure the network to match the desired state. As of now, Lerner believes the system still has a degree of network configuration intricacies and nuances that could make it difficult to onboard. As Cisco develops the product he expects more abstractions will be created to push it closer to an IBNS.

What it will be used for

Tompkins, the Scentsy network architect, is optimistic that the advanced automation capabilities Cisco announced this week will benefit his 125-person IT shop, which runs the company’s development, ecommerce and logistics operations.

Scentsy was an early customer of Cisco’s Unified Computing System (UCS), is running Cisco’s Application Centric Infrastructure (ACI) and is one of the few customers that has trialed the intent-based networking gear.

During the recent WannaCry outbreak, Tompkins wanted to ensure that a specific port was shut down throughout his network, and an intent-based system could execute that policy change easily, he says. Doing that process manually is not only cumbersome but a potential security risk, because it’s difficult to ensure the ports have been shut down on all devices.
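The four IBNS components Lerner lists (express an intent, configure to it, collect device state, verify and remediate drift) and the WannaCry example above describe the same loop: a single declared policy, checked against what every device actually reports, with drift corrected and re-verified. The following is an added illustration of that loop in Python; it is not Cisco's code and not from the article. The device inventory, the ACL tuple format, and the "any"/0 wildcard convention are all constructed for this example, and the intent modelled is the one Tompkins describes, "deny this port on every device".

```python
"""Intent-vs-state reconciliation for a single network-wide policy.

Added illustration, not code from Cisco or from the article: it models the
IBNS loop (express intent, verify it against collected device state,
remediate drift, re-verify) for the intent "deny TCP/445 on every device".
Device names, ACL format and the 'any'/0 wildcard convention are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Rule = Tuple[str, str, int]   # (action, proto, port); proto "any" / port 0 are wildcards


@dataclass(frozen=True)
class Intent:
    """Declarative policy: the given proto/port must be denied on every device."""
    proto: str
    port: int


@dataclass
class Device:
    """Observed state of one switch: its name and the ACL it currently reports."""
    name: str
    acl: List[Rule] = field(default_factory=list)


def _matches(rule: Rule, intent: Intent) -> bool:
    """Does this ACL entry apply to the intent's traffic (wildcards included)?"""
    _, proto, port = rule
    return proto in (intent.proto, "any") and port in (intent.port, 0)


def is_satisfied(dev: Device, intent: Intent) -> bool:
    """ACLs are first-match: the intent holds only if the first entry that
    applies to the traffic is a deny. A shadowing permit, or no entry at all
    (implicit fall-through is modelled here as permit), means the intent is unmet."""
    for rule in dev.acl:
        if _matches(rule, intent):
            return rule[0] == "deny"
    return False


def validate(devices: List[Device], intent: Intent) -> List[str]:
    """Names of devices whose actual state diverges from the expressed intent."""
    return [d.name for d in devices if not is_satisfied(d, intent)]


def remediation_plan(devices: List[Device], intent: Intent) -> List[Dict]:
    """One action per drifted device: prepend a deny so it precedes any permit."""
    return [{"device": name, "action": "prepend_acl",
             "entry": ("deny", intent.proto, intent.port)}
            for name in validate(devices, intent)]


def apply_plan(devices: List[Device], plan: List[Dict]) -> None:
    """Simulate the controller pushing each action to its device."""
    by_name = {d.name: d for d in devices}
    for step in plan:
        by_name[step["device"]].acl.insert(0, step["entry"])


def sample_fleet() -> List[Device]:
    """Constructed inventory showing three ways the same intent can be unmet."""
    return [
        Device("core1", [("deny", "tcp", 445), ("permit", "any", 0)]),     # compliant
        Device("access1", [("permit", "tcp", 445), ("deny", "tcp", 445)]),  # old exception shadows the deny
        Device("access2", []),                                              # never configured
        Device("access3", [("permit", "any", 0), ("deny", "tcp", 445)]),    # catch-all permit shadows the deny
    ]


def reconcile(devices: List[Device], intent: Intent) -> Dict[str, List[str]]:
    """Full loop: report drift, push remediation, then re-verify the fleet."""
    before = validate(devices, intent)
    apply_plan(devices, remediation_plan(devices, intent))
    return {"drift_before": before, "drift_after": validate(devices, intent)}


if __name__ == "__main__":
    print(reconcile(sample_fleet(), Intent("tcp", 445)))
```

The point the example makes that the prose does not is why a manual rollout is hard to verify: two of the three non-compliant devices in the constructed fleet do carry a deny entry, but a permit earlier in the first-match ACL shadows it, so a check that merely greps for the deny line would report them as compliant. Validation against observed state, followed by re-verification after remediation, is what the article's "desired state versus actual state" component amounts to.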

Tompkins is also excited about the ability to more granularly enforce policies based on user activity and role. A system like this could, for example, ensure that workers only have access to core company data during normal business hours. “These are decisions made at the policy level, and applied at the network level,” and he says they’re done without managing the “minutiae of access controls.”

Rohit Mehra, vice president of network infrastructure at IDC, says elements of intent-based networking, specifically around policies and context, have been around for a while. “This is taking policy enforcement to the next level,” he says. “It uses a combination of intent and context, based on what the application is, who the user is, what the device is, and automates the network management to actually get to the desired state of what you want the network to do.”

Cisco did not release pricing details for the new software and hardware it announced this week.